mesos-reviews mailing list archives

From "Till Toenshoff" <toensh...@me.com>
Subject Re: Review Request 42027: Changed HTTP responses from Unauthorized (401) to Forbidden (403).
Date Wed, 20 Jan 2016 19:37:53 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/42027/#review115423
-----------------------------------------------------------

Ship it!



src/master/http.cpp (lines 548 - 551)
<https://reviews.apache.org/r/42027/#comment176419>

    To posterity: this means that we currently do not support mixed usage of old API and HTTP API for frameworks as soon as the master has enabled mandatory framework authentication.


- Till Toenshoff


On Jan. 20, 2016, 2:03 p.m., Alexander Rojas wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/42027/
> -----------------------------------------------------------
> 
> (Updated Jan. 20, 2016, 2:03 p.m.)
> 
> 
> Review request for mesos, Alexander Rukletsov, Greg Mann, Joerg Schad, Jan Schlicht, and Till Toenshoff.
> 
> 
> Bugs: MESOS-4305
>     https://issues.apache.org/jira/browse/MESOS-4305
> 
> 
> Repository: mesos
> 
> 
> Description
> -------
> 
> It is a common pattern within Mesos to return an HTTP 401 (Unauthorized) response whenever the request is invalid for whatever reason. However, according to the [RFC-2617 Section 1.2](https://tools.ietf.org/html/rfc2617#section-1.2):
> > The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource.
> 
> Meaning that despite the confusing name, the status code _401 Unauthorized_ should be used only for authentication purposes. On the other hand, the [RFC-2616 Section 10.4.4](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4) states:
> > _(403 Forbidden is returned when)_ The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.
> 
> As such, _403 (Forbidden)_ seems to be a better return code when replying inside endpoint handlers, while _401 (Unauthorized)_ should be left to the HTTP Authenticators only.
> 
> 
> Diffs
> -----
> 
>   docs/authorization.md a928f1722dc67cd791d78ebbe4591f2e8f2e8f2a 
>   src/master/http.cpp 34a70ee50553492fc8c3947497ab5922f4379d72 
>   src/master/quota_handler.cpp f44736cd5849d4fb22a75c1238d433a1c0c9708d 
>   src/tests/master_quota_tests.cpp e8cb074c2913cafdc6b1792896f29e53f1210c9d 
>   src/tests/persistent_volume_endpoints_tests.cpp f0cce190abc90f0fae84d6c3db20e8215c2d8132 
>   src/tests/reservation_endpoints_tests.cpp b8edd6fafedd4c2221a8d19c1ebc71254071a8c7 
>   src/tests/scheduler_http_api_tests.cpp 143bd414c6d9ad0b7b7c23c390b7d497e4be3e6d 
>   src/tests/teardown_tests.cpp 97cc89ba168aefff8512f6d1a25c4f7ddf180bae 
> 
> Diff: https://reviews.apache.org/r/42027/diff/
> 
> 
> Testing
> -------
> 
> make check
> 
> 
> Thanks,
> 
> Alexander Rojas
> 
>
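To illustrate the split the description argues for, here is an added example (not Mesos or libprocess code; the Response and Request types and the authorized() stand-in are constructed for it): only the authenticator emits 401, always with the WWW-Authenticate challenge RFC 2617 requires, while an endpoint handler refuses an authenticated but unauthorized principal with 403, and wellFormed() flags any 401 that lacks the challenge.

```cpp
#include <map>
#include <string>

// Minimal response model, constructed for this example (not libprocess's).
struct Response {
  int status;
  std::map<std::string, std::string> headers;
  std::string body;
};

// The HTTP authenticator's reply: a 401 challenge. RFC 2617 requires the
// WWW-Authenticate header here, so it is attached unconditionally.
Response unauthorized(const std::string& realm) {
  return {401, {{"WWW-Authenticate", "Basic realm=\"" + realm + "\""}}, ""};
}

// An endpoint handler's reply when an authenticated principal is not
// permitted to perform the action: 403, with the reason in the entity.
Response forbidden(const std::string& reason) {
  return {403, {}, reason};
}

// What the handler knows after the authenticator has run (assumption:
// authentication happens before the handler and hands over the principal).
struct Request {
  bool credentialsPresent;   // did the client send an Authorization header?
  bool credentialsValid;     // did they match a known principal?
  std::string principal;     // identity established by the authenticator
  std::string action;        // e.g. "teardown", "state"
};

// Stand-in authorizer (constructed): only "ops" may tear down frameworks.
bool authorized(const std::string& principal, const std::string& action) {
  return action != "teardown" || principal == "ops";
}

// Dispatch in the order the RFCs imply: authenticate first (401 is the
// authenticator's code), then authorize (403 belongs to the handler).
Response handle(const Request& req, const std::string& realm = "mesos") {
  if (!req.credentialsPresent || !req.credentialsValid) {
    return unauthorized(realm);
  }
  if (!authorized(req.principal, req.action)) {
    return forbidden("Principal '" + req.principal + "' may not " + req.action);
  }
  return {200, {}, "ok"};
}

// Check a test can apply to any response: a 401 without WWW-Authenticate
// violates RFC 2617 and is a sign the handler should have sent 403 instead.
bool wellFormed(const Response& r) {
  return r.status != 401 || r.headers.count("WWW-Authenticate") == 1;
}
```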

